Diffstat (limited to 'lib/api')
-rw-r--r-- | lib/api/entities.rb | 5 | ||||
-rw-r--r-- | lib/api/helpers.rb | 16 | ||||
-rw-r--r-- | lib/api/issues.rb | 2 | ||||
-rw-r--r-- | lib/api/milestones.rb | 2 | ||||
-rw-r--r-- | lib/api/projects.rb | 56 |
5 files changed, 81 insertions, 0 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 96ccd87a407..fef5328d093 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -16,6 +16,11 @@ module Gitlab
 expose :issues_enabled, :merge_requests_enabled, :wall_enabled, :wiki_enabled, :created_at
 end
+ class UsersProject < Grape::Entity
+ expose :user, using: Entities::UserBasic
+ expose :project_access
+ end
+
 class RepoObject < Grape::Entity
 expose :name, :commit
 end
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index ce7b7b497fc..c0ba874790a 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -21,5 +21,21 @@ module Gitlab
 def authenticate!
 error!({'message' => '401 Unauthorized'}, 401) unless current_user
 end
+
+ def authorize! action, subject
+ unless abilities.allowed?(current_user, action, subject)
+ error!({'message' => '403 Forbidden'}, 403)
+ end
+ end
+
+ private
+
+ def abilities
+ @abilities ||= begin
+ abilities = Six.new
+ abilities << Ability
+ abilities
+ end
+ end
 end
 end
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index 68cb7e059b9..4cfa7500e33 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -79,6 +79,8 @@ module Gitlab
 # PUT /projects/:id/issues/:issue_id
 put ":id/issues/:issue_id" do
 @issue = user_project.issues.find(params[:issue_id])
+ authorize! :modify_issue, @issue
+
 parameters = {
 title: (params[:title] || @issue.title),
 description: (params[:description] || @issue.description),
diff --git a/lib/api/milestones.rb b/lib/api/milestones.rb
index 29f5efa41d6..7c68466760f 100644
--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@@ -61,6 +61,8 @@ module Gitlab
 # Example Request:
 # PUT /projects/:id/milestones/:milestone_id
 put ":id/milestones/:milestone_id" do
+ authorize! :admin_milestone, user_project
+
 @milestone = user_project.milestones.find(params[:milestone_id])
 parameters = {
 title: (params[:title] || @milestone.title),
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index d45d1d82d40..05b07e8def4 100644
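Review bot: `authorize!` in the helpers.rb hunk assumes `current_user` is already set: when it is nil the call becomes `abilities.allowed?(nil, action, subject)` and an unauthenticated caller ends up with a 403 (or whatever the Ability rules do with a nil user) instead of the 401 that `authenticate!` produces. Unless every route is already covered by a before-filter that calls `authenticate!` (not visible in this diff), make the ordering explicit with `authenticate!` as the first line of `authorize!`. For style, the body can mirror the modifier form used two lines above it: `error!({'message' => '403 Forbidden'}, 403) unless abilities.allowed?(current_user, action, subject)`. The private `abilities` helper would also benefit from a one-line comment, e.g. `# Six evaluator wrapping the Ability rules, built once per endpoint instance`.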
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -54,6 +54,58 @@ module Gitlab
 end
 end
+ # Get project users
+ #
+ # Parameters:
+ # id (required) - The ID or code name of a project
+ # Example Request:
+ # GET /projects/:id/users
+ get ":id/users" do
+ @users_projects = paginate user_project.users_projects
+ present @users_projects, with: Entities::UsersProject
+ end
+
+ # Add users to project with specified access level
+ #
+ # Parameters:
+ # id (required) - The ID or code name of a project
+ # user_ids (required) - The ID list of users to add
+ # project_access (required) - Project access level
+ # Example Request:
+ # POST /projects/:id/users
+ post ":id/users" do
+ authorize! :admin_project, user_project
+ user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access])
+ nil
+ end
+
+ # Update users to specified access level
+ #
+ # Parameters:
+ # id (required) - The ID or code name of a project
+ # user_ids (required) - The ID list of users to add
+ # project_access (required) - New project access level to
+ # Example Request:
+ # PUT /projects/:id/add_users
+ put ":id/users" do
+ authorize! :admin_project, user_project
+ user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access])
+ nil
+ end
+
+ # Delete project users
+ #
+ # Parameters:
+ # id (required) - The ID or code name of a project
+ # user_ids (required) - The ID list of users to delete
+ # Example Request:
+ # DELETE /projects/:id/users
+ delete ":id/users" do
+ authorize! :admin_project, user_project
+ user_project.delete_users_ids_from_team(params[:user_ids].values)
+ nil
+ end
+ # Get a project repository branches
+ #
+ # Parameters:
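Review bot: The three mutating routes (`post ":id/users"`, `put ":id/users"`, `delete ":id/users"`) call `params[:user_ids].values` without checking that the parameter is present or hash-shaped, so a missing or array-encoded `user_ids` raises NoMethodError and surfaces as a 500 rather than a 400, and `project_access` is passed to the model with no validation at all even though both parameters are documented as required. Reject missing or malformed input before touching the team and validate `project_access` against the access levels the model defines; a shape-tolerant version of the POST route is below, and the PUT and DELETE routes need the same guard. `get ":id/users"` is the only one of the four routes without an `authorize!`, which is acceptable only if `user_project` already restricts to projects the caller may read — worth confirming. The PUT comment block also says `PUT /projects/:id/add_users` while the route is `put ":id/users"`, its `user_ids` line still reads "to add", and `New project access level to` is truncated.
```ruby
      post ":id/users" do
        authorize! :admin_project, user_project
        ids = params[:user_ids]
        ids = ids.values if ids.respond_to?(:values)
        # Reject a missing or malformed id list before the model sees it
        unless ids.is_a?(Array) && !ids.empty? && params[:project_access]
          error!({'message' => '400 Bad Request'}, 400)
        end
        user_project.add_users_ids_to_team(ids, params[:project_access])
        nil
      end
      # … unchanged: PUT and DELETE routes, which need the same guard …
```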
@@ -137,6 +189,8 @@ module Gitlab
 # PUT /projects/:id/snippets/:snippet_id
 put ":id/snippets/:snippet_id" do
 @snippet = user_project.snippets.find(params[:snippet_id])
+ authorize! :modify_snippet, @snippet
+
 parameters = {
 title: (params[:title] || @snippet.title),
 file_name: (params[:file_name] || @snippet.file_name),
@@ -160,6 +214,8 @@ module Gitlab
 # DELETE /projects/:id/snippets/:snippet_id
 delete ":id/snippets/:snippet_id" do
 @snippet = user_project.snippets.find(params[:snippet_id])
+ authorize! :modify_snippet, @snippet
+
 @snippet.destroy
 end
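Review bot: The DELETE route in the second hunk guards `@snippet.destroy` with the same `:modify_snippet` ability the PUT route uses for edits, so the check grants deletion to anyone permitted to edit; if the Ability rules are meant to distinguish the two, a dedicated deletion ability keeps that decision in one place instead of implicit here. A short comment on the check would make the intent explicit either way, e.g. `# Editing and deleting a snippet are intentionally governed by the same ability`. In both snippet routes the `find` runs before the authorization check, which is acceptable since the lookup is already scoped to `user_project.snippets`.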